package com.nimbusds.infinispan.persistence.dynamodb;

import com.amazonaws.services.dynamodbv2.document.Item;
import com.nimbusds.common.store.StoreException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import net.jcip.annotations.Immutable;
import org.erdtman.jcs.JsonCanonicalizer;

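/**
 * Computes, attaches and verifies an HMAC-SHA256 integrity tag for a DynamoDB
 * {@link Item}.
 *
 * <p>The tag is calculated over the UTF-8 bytes of the canonical JSON form
 * ({@link JsonCanonicalizer}) of {@code item.toJSON()} and is stored in the
 * binary attribute named {@link #ATTRIBUTE_NAME}. The tag attribute itself is
 * never part of the authenticated input: {@link #verify} strips it before
 * recomputing, and {@link #apply} strips any pre-existing one before tagging.
 *
 * <p>An instance built with a {@code null} key is a pass-through:
 * {@link #compute} returns {@code null} and {@link #apply} / {@link #verify}
 * hand the item back without adding or checking anything. Deployments that
 * rely on item integrity must therefore make sure a key is actually
 * configured, because a missing key silently disables verification.
 */
@Immutable
final class ItemHMAC {
    /** Name of the binary item attribute that carries the HMAC-SHA256 tag. */
    public static final String ATTRIBUTE_NAME = "_hmac#s256";

    /** HMAC key, or {@code null} when HMAC protection is disabled. */
    private final SecretKey hmacKey;

    /**
     * Creates an instance from a Base64-encoded key.
     *
     * @param str standard Base64 encoding of the raw key bytes, or
     *            {@code null} to disable HMAC protection
     * @throws InvalidKeyException if the decoded key is shorter than 256 bits
     */
    public ItemHMAC(String str) throws InvalidKeyException {
        this(str != null ? Base64.getDecoder().decode(str) : null);
    }

    /**
     * Creates an instance from raw key bytes.
     *
     * @param bArr raw key bytes, or {@code null} to disable HMAC protection
     * @throws InvalidKeyException if the key is shorter than 256 bits
     */
    public ItemHMAC(byte[] bArr) throws InvalidKeyException {
        this(bArr != null ? new SecretKeySpec(bArr, "HmacSHA256") : null);
    }

    /**
     * Creates an instance from a secret key.
     *
     * @param secretKey the HMAC key, or {@code null} to disable HMAC
     *                  protection
     * @throws InvalidKeyException if the key is shorter than 256 bits, or if
     *                             it does not expose an encoded form so its
     *                             length cannot be checked
     */
    public ItemHMAC(SecretKey secretKey) throws InvalidKeyException {
        if (secretKey != null) {
            // Key.getEncoded() is allowed to return null for keys that do not
            // support encoding; reject such a key explicitly instead of
            // failing with a NullPointerException on the length check.
            byte[] encoded = secretKey.getEncoded();
            if (encoded == null) {
                throw new InvalidKeyException("The HMAC SHA-256 key must expose its encoded form for the length check");
            }
            if (encoded.length < 32) {
                throw new InvalidKeyException("The HMAC SHA-256 key must be at least 256 bits long");
            }
        }
        this.hmacKey = secretKey;
    }

    /**
     * Computes the HMAC-SHA256 tag over the canonical JSON form of the item.
     *
     * <p>The item is authenticated exactly as passed in; this method does not
     * strip {@link #ATTRIBUTE_NAME}, so callers must remove an existing tag
     * first.
     *
     * @param item the item to authenticate
     * @return the 32-byte tag, or {@code null} when no key is configured
     * @throws NoSuchAlgorithmException if HmacSHA256 is not available
     * @throws InvalidKeyException      if the key is rejected by the MAC
     * @throws StoreException           if canonicalising the item JSON fails
     *                                  with an {@link IOException}
     */
    public byte[] compute(Item item) throws NoSuchAlgorithmException, InvalidKeyException {
        if (this.hmacKey == null) {
            return null;
        }
        try {
            byte[] canonicalJson = new JsonCanonicalizer(item.toJSON()).getEncodedString().getBytes(StandardCharsets.UTF_8);
            // A fresh Mac per call: Mac instances carry state and must not be
            // shared between concurrent callers.
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(this.hmacKey);
            return mac.doFinal(canonicalJson);
        } catch (IOException e) {
            throw new StoreException(e.getMessage(), e);
        }
    }

    /**
     * Attaches the HMAC tag to the item under {@link #ATTRIBUTE_NAME}.
     *
     * <p>A tag already present on the item is dropped before the new one is
     * computed. Otherwise the stale tag would be folded into the MAC input
     * and the result could never pass {@link #verify}, which always strips
     * the attribute before recomputing.
     *
     * @param item the item to tag
     * @return the tagged item, or the item unchanged when no key is configured
     * @throws InvalidKeyException      if the key is rejected by the MAC
     * @throws NoSuchAlgorithmException if HmacSHA256 is not available
     */
    public Item apply(Item item) throws InvalidKeyException, NoSuchAlgorithmException {
        if (this.hmacKey == null) {
            return item;
        }
        Item untagged = item.hasAttribute(ATTRIBUTE_NAME) ? item.removeAttribute(ATTRIBUTE_NAME) : item;
        return untagged.withBinary(ATTRIBUTE_NAME, compute(untagged));
    }

    /**
     * Checks the HMAC tag of the item and returns the item without it.
     *
     * @param item the item as read from the store
     * @return the item with {@link #ATTRIBUTE_NAME} removed; when no key is
     *         configured the item is returned as is, unchecked
     * @throws InvalidHMACException     if the tag attribute is missing or does
     *                                  not match the recomputed value
     * @throws InvalidKeyException      if the key is rejected by the MAC
     * @throws NoSuchAlgorithmException if HmacSHA256 is not available
     */
    public Item verify(Item item) throws InvalidHMACException, InvalidKeyException, NoSuchAlgorithmException {
        if (this.hmacKey == null) {
            return item;
        }
        if (!item.hasAttribute(ATTRIBUTE_NAME)) {
            // With a key configured, an untagged item is rejected rather than
            // accepted, so removing the attribute cannot bypass the check.
            throw new InvalidHMACException("Missing item HMAC attribute");
        }
        // NOTE(review): if the stored attribute is not of binary type,
        // getBinary presumably fails with an unchecked SDK exception rather
        // than InvalidHMACException - confirm and handle at the call site.
        byte[] storedTag = item.getBinary(ATTRIBUTE_NAME);
        // NOTE(review): removeAttribute looks like it edits the item in place
        // and returns it, so the caller's instance loses the tag even when
        // verification fails - confirm against the SDK.
        Item untagged = item.removeAttribute(ATTRIBUTE_NAME);
        // MessageDigest.isEqual instead of Arrays.equals, so the comparison
        // time does not reveal how many leading bytes of a forged tag match.
        if (MessageDigest.isEqual(storedTag, compute(untagged))) {
            return untagged;
        }
        throw new InvalidHMACException("Invalid item HMAC");
    }
}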
